Cyber Incident Victim: UK's Criminal Records Office (ACRO)
Date: Mar 2023
Location: United Kingdom
Summary
The UK's Criminal Records Office (ACRO) experienced a cyber incident that disrupted its online portal; the agency initially attributed the disruption to maintenance. The attack caused service delays, particularly affecting police certificate applications, and forced applicants to submit requests via email. The agency took its portal offline to investigate, collaborated with national cybersecurity authorities, and maintained other critical operations for policing and international records exchanges. While ACRO reported no conclusive evidence of compromised personal data, conflicting information emerged suggesting that identification details and criminal conviction records may have been impacted. All affected applicants were notified as part of the response efforts to remediate the security breach.
Description
The UK’s Criminal Records Office (ACRO) experienced a cyber security incident first detected on March 21, 2023, leading to prolonged disruptions in its online services. Initial signs of operational issues emerged earlier, with the agency reporting delays in processing police certificate applications by March 20, attributing them vaguely to “heavy demands.” By March 21, ACRO publicly cited “essential website maintenance” as the reason for taking its application portal offline. Persistent technical problems followed, and the website remained inaccessible from at least March 31 onward, displaying notices blaming unresolved “technical issues.” During this period, applicants were instructed to submit requests via email, with ACRO deferring payment collection until later stages.

Behind the scenes, the agency had identified a cyber incident on March 21, prompting its decision to isolate the portal. For three weeks, ACRO refrained from publicly acknowledging the breach, only confirming on April 6 via Twitter that the disruptions stemmed from a cybersecurity incident primarily affecting police certificate issuance timelines. Applicants received emails notifying them of potential impacts, with conflicting statements emerging about data exposure: while ACRO’s initial public assurances claimed no evidence of compromised personal information, the Evening Standard reported the agency privately informed affected individuals that “identification information and any criminal conviction data” may have been involved.

Upon detecting the incident, ACRO immediately took its application portal offline to contain the threat and initiated an investigation coordinated with the UK’s National Cyber Security Centre (NCSC). The agency maintained that its core law enforcement services, including criminal record exchanges with international partners and support to domestic policing operations, remained functional despite the portal’s incapacitation. Applicants faced indefinite delays due to manual processing workflows, though ACRO did not specify an expected restoration timeline. Throughout its communications, ACRO emphasized ongoing remediation efforts and reiterated that no conclusive evidence of data theft or misuse had been found. Crisis management prioritized transparency with affected applicants via direct emails while maintaining broader operational continuity for policing functions. The prolonged outage underscored systemic vulnerabilities in ACRO’s public-facing digital infrastructure, with the full scope of the incident and its root causes remaining under investigation by cybersecurity authorities as of early April.
